[Owasp-leaders] The Gap Between OWASP and Developers

Sethi, Rohit rohit at securitycompass.com
Fri Feb 18 13:55:27 EST 2011

Jeremiah, that's great feedback. As a vendor I agree. It seems to me it's pretty clear that vendors (like myself) have a direct motivation to work on OWASP projects. Of course, OWASP has many non-vendors working on projects.

How do we foster interest in OWASP for people whose primary job is not application security? What is the motivation for them? Maybe some people who fall in the non-vendor camp can articulate why they devote their personal time to this cause. This might help us to find like-minded people.


Rohit Sethi
Vice President, Product Development
Security Compass & SD Elements
Twitter: rksethi

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, February 18, 2011 1:29 PM
To: owasp-leaders at lists.owasp.org; Jeremiah Grossman
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers

Hello all,

I'm passing on a message from Jeremiah Grossman on vendor/OWASP/enterprise relations. Insightful comments - especially coming from a vendor. ;)

I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up as the Industry Committee chair. I think this fits into both Jeremiah's vision and OWASP's mission very well.



OWASP Leaders,
Want to know what scares enterprises, and by extension developers, away from OWASP more than anything else? Us. That is, us vendors. 
They look at who makes up the global board. 100% vendors, of one particular ilk. They look at who sponsors, the Summit or in general, nearly all vendors. They see who gives the presentations. Right, essentially all vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't also lopsided by vendors. This doesn't leave much room for the enterprise representatives to assume key roles and influence the direction of the organization as they should be afforded.

In the beginning days of OWASP, and the webappsec industry collectively, vendors building up OWASP was absolutely essential. Many of us, myself included, originally came from the enterprise because we saw a real (appsec) problem that needed to be solved and we had to organize and evangelize as vendors -- so we did. We paved the way and should be proud of that. Today though we must recognize that it is no longer 2001, it is 2011, and many organizations as a result have heavily invested in their application security programs. They have much knowledge to share with their peers.
Imagine having CSOs from major eCommerce, financial services, healthcare, etc. organizations stacking the OWASP board. That would speak volumes to their peers, who it is always said need to be more included in OWASP. Enterprises on the OWASP board would hugely encourage other organizations to similarly invest in their application security programs and get actively involved in the community. In my opinion, just adding "developers" doesn't go far enough, and wouldn't influence nearly enough.
Personally, when nominations open, these are the candidates I'd encourage looking and voting for. Time for the enterprises to lead and choose their own destiny.
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.